Re: Problems with state synchronisation
On 14 Feb 2005, at 18:06, Ryan McBride wrote:

> On Mon, Feb 14, 2005 at 10:20:44AM +0100, Andrea Mistrali wrote:
> > Those lines are always relative to broadcast addresses. What can it be?
>
> If a packet reaches both firewalls, they will both create state; when they each receive the state creation message from the other, the state already exists and the insertion fails. You can ignore the messages, or modify your ruleset so that broadcast packets don't create synchronised states.

Yeah! You're right! How stupid I am :))

Thanks
Andrea
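The fix Ryan suggests, as an added example that is not part of this thread: a pf.conf fragment for the pre-4.1 pf of that era (a rule without keep state is stateless there) that keeps broadcast traffic from ever creating a synchronised state. The macros, the LAN prefix and the choice of ports are assumptions for illustration; the no-sync state option is documented in the OpenBSD 3.6 pf.conf(5), but check the man page of the release you actually run before relying on it.

```pf
# Added example, not from the original posts. Both CARP peers see every
# LAN broadcast, so a stateful rule makes each of them create a state and
# then reject the copy the other peer announces over pfsync(4).

# Assumed macros (not in the thread):
lan_if   = "fxp0"
lan_net  = "192.168.10.0/24"
lan_bcast = "192.168.10.255"

# Option 1: stateless pass for one-way broadcast traffic (DHCP discovery,
# NetBIOS name/datagram service). No state is created, so there is nothing
# to synchronise and nothing to collide.
pass in quick on $lan_if inet proto udp \
    from any to { 255.255.255.255, $lan_bcast } port { 67, 137, 138 }

# Option 2: keep a state for accounting, but mark it no-sync so each peer
# creates it locally and never announces it over pfsync.
# (no-sync is listed in the OpenBSD 3.6 pf.conf(5); verify on your release.)
pass in quick on $lan_if inet proto udp \
    from $lan_net to $lan_bcast keep state (no-sync)

# Everything else from the LAN keeps a normal, synchronised state.
pass in on $lan_if inet from $lan_net to any keep state
```

Reload with `pfctl -nf /etc/pf.conf` first to catch a syntax error, then watch `pfctl -s info` on both peers: the "insert failed" messages should stop once the broadcast rules sit above the stateful catch-all, since a later quick rule is not evaluated for packets the earlier one already matched.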
blocking IP range Q
Hello,

I need to block certain IPs on my webserver. Can anyone point out how to do that? Here is the IP address range I need to block (*-ed out the first three digits):

***.139.192.0 -- ***.139.223.255

Thanks for the help, friends.

Dom
Borrow not working
Hello, everybody.

We've been trying to get borrow to work for us, but despite our reading every reasonable piece of documentation, messages in this list and several web pages trying to find a solution, it's still not working. We also tried to use the same PF configuration on BSD 3.3 and 3.6, with no success.

Our pf.conf follows. It's a simple setup that intends to share 1MB of the available bandwidth between two hosts, guaranteeing a minimum of 256Kbps for each. The issue is that even when all the bandwidth is available, downloads won't borrow from the parent, as expected, and, therefore, won't go faster than 512Kbps.

# -
# Connections
# fxp0 - 10.0.5.0/24 - LAN
# xl0  - 10.0.0.200 - Ext
# -
# Definitions: Interfaces
lan_if = fxp0
lan_gw = 10.0.5.1
ext_if = xl0
ext_gw = 10.0.0.200

# -
# Firewall Options
set limit { states 10, frags 5000 }
set loginterface $lan_if
scrub in all fragment reassemble no-df

#
# Queue
altq on $lan_if bandwidth 10Mb cbq queue { std_down, ext_down }
queue std_down bandwidth 1024Kb cbq(default)
queue ext_down bandwidth 1024Kb { lan_down_1, lan_down_2 }
queue lan_down_1 bandwidth 512Kb cbq(borrow)
queue lan_down_2 bandwidth 512Kb

# -
# NAT
nat on $ext_if from $lan_if:network to any -> ($ext_if)

# -
# Filter
# Default policy: block all traffic
block log all

# Allow loopback communication
pass quick on lo0 all

# -
# Filter
pass in on $lan_if proto tcp \
    from $lan_if:network to any flags S/SA modulate state
pass in on $lan_if proto { udp, icmp } \
    from $lan_if:network to any keep state

# For Machine 1
pass in on $lan_if proto tcp \
    from 10.0.5.100 to any flags S/SA modulate state queue lan_down_1
pass in on $lan_if proto { udp, icmp } \
    from 10.0.5.100 to any keep state queue lan_down_1

# For Machine 2
pass in on $lan_if proto tcp \
    from 10.0.5.101 to any flags S/SA modulate state queue lan_down_2
pass in on $lan_if proto { udp, icmp } \
    from 10.0.5.101 to any keep state queue lan_down_2

# Destination: This Host
pass in on $lan_if from $lan_if:network to ($lan_if) keep state
pass in on $ext_if from $ext_if:network to ($ext_if) keep state

# Outbound Traffic Rules
pass out on $ext_if inet proto tcp \
    from any to any flags S/SA modulate state
pass out on $ext_if inet proto { udp, icmp } \
    from any to any keep state
# -

Any help would be VERY appreciated. Thanks a lot.

Alexandre Ilha
Network Administration
TeleHUMANA Communications
http://www.telehumana.com.br

P.S.: The system that pf.conf is used on is _not_ my production firewall, so please don't flame me with that 'it's dangerous' talk... :-)
Re: blocking IP range Q
Sorry, the CC: was incorrect.

Kim Esben Jørgensen wrote:

> Hi Dominic
>
> Dominic Opferkuch wrote:
> > Hello, I need to block certain IPs on my webserver. Can anyone point out how to do that? Here is the IP address range I need to block (*-ed out the first three digits): ***.139.192.0 -- ***.139.223.255. Thanks for the help, friends. Dom
>
> Convert to CIDR blocks. Perhaps you can use http://search.cpan.org/~mrsam/Net-CIDR-0.10/CIDR.pm. I did.

--
Mvh.
Kim Esben Jørgensen
bridging, inbound load balancing CARP
Hi all,

After some serious head scratching, lots of searching, and much brow furrowing, I can't find an answer to this simple question about bridges and load balancing with OpenBSD:

Can one do inbound load balancing between a couple of web servers (box01, box02) when running two OBSD machines as bridging firewalls w/CARP on the front end? If not, is there some other way (without having the ISP route our /24 for us) for us to pull this off?

FWIW, in the present scenario below, I'm pointing to 208.12.17.225 with all our machines in /etc/mygate.

The network looks like this:

            INTERNET
              /|\
               |
        [ISP's ROUTER]     (208.12.17.225/32 -- part of 208.12.17.224/29)
              /|\
               |
         [MY SWITCH01]
            /     \
           /       \
       [gw1]     [gw2]     (OBSD bridges 208.12.17.226, .227 -- part of 208.12.17.224/29)
        /|\       /|\
         |         |
         [MY SWITCH02]
        /|\       /|\
         |         |
      [box01]   [box02]    (208.19.20.25, 208.19.20.27 -- part of 208.19.20.0/24)

Thanks so much for your $.03 on this, everyone.

Kevin
--
http://www.ebiinc.com : Employee Background Screening from EBI
A leader in corporate background checks, worldwide.
Re: Can't even do an ls on an FTP server located on the WAN
On Mon, Feb 14, 2005 at 10:53:44PM -0600, eric wrote:

> On Tue, 2005-02-15 at 00:12:59 +0100, Nicolas proclaimed...
> > I'm trying to connect to an FTP server located on the WAN, from a box which is located in my local network. But I can't even do an ls. I can connect, but then I can't do anything on the FTP server.
>
> Post your pf.conf.

Unfortunately, the floppy disk is broken on my bastion. Since the pf.conf is around 15 KB, I'll avoid typing it... ;-)

However, here's the rule I added for the FTP:

pass in quick on $name_itf_ext inet proto tcp from port 20 to ($name_itf_ext) user proxy flags S/SA keep state

Here is the tcpdump -n -e -ttt -r /var/log/pflog output when I try to connect to the FTP server located on the WAN, from my client:

Feb 15 19:57:10.770100 rule 0/0(match): block in on ep0: 213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win 5840 <mss 1420,sackOK,timestamp[|tcp]> (DF)
Feb 15 19:57:13.768532 rule 0/0(match): block in on ep0: 213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win 5840 <mss 1420,sackOK,timestamp[|tcp]> (DF)

Here's what appears on the screen, also:

Feb 15 19:58:36 bastion ftp-proxy[28303]: connect() failed (No route to host)

Here's the gftp output when I try to connect to the FTP server (which is ftp.europephoto.com):

Looking up ftp.europephoto.com
Trying heb62004.ikoula.com:21
Connected to ftp.europephoto.com:21
220 ProFTPD 1.2.9 Server (ProFTPD) [heb62004.ikoula.com]
USER
331 Password required for .
PASS
230 User logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I
PWD
257 "/" is current directory.
Loading directory listing / from server ([EMAIL PROTECTED])
PASV
227 Entering Passive Mode (192,168,14,26,206,94)
LIST -aL
Disconnecting from host ftp.europephoto.com
Invalid response '

Here's the line for ftp-proxy in /etc/inetd.conf:

127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy frp-proxy -n -D 3

Here's what's written in /var/log/daemon:

Feb 15 19:57:10 bastion ftp-proxy[28303]: accepted connection from 192.168.11.26:34681 to 213.246.62.4:21
Feb 15 19:58:36 bastion ftp-proxy[28303] connect() failed (No route to host)

=(

I sent an email to ikoula.com, which hosts my website and the FTP server. I asked them what passive ports are defined in their proftpd.conf file. They told me it's port 21, but I'm not quite sure they clearly understood what information I asked for... :-/

The REALLY strange thing is that I can connect to any other FTP server, including ftp.debian.fr.

Moreover, I never had to set up ftp-proxy on my OpenBSD bastion to access FTP servers located on the WAN from my LAN computer. I set it up yesterday, because I thought it could solve my problem with connecting to ftp.europephoto.com... :-/

By the way, I use OpenBSD 3.5.

Do you have any idea? Don't hesitate to ask me for any other information you could need.

Thank you for your help.

Nicolas, Paris.
--
--- OxStOnE -- O - Z750 Linux --- ._ /\_ --- Powered -- (x) (x)
Re: blocking IP range Q
On Tue, Feb 15, 2005 at 09:42:40AM -0800, Dominic Opferkuch wrote:

> Hello, I need to block certain IPs on my webserver. Can anyone point out how to do that? Here is the IP address range I need to block (*-ed out the first three digits): ***.139.192.0 -- ***.139.223.255. Thanks for the help, friends.

Generically:

block drop in quick inet from ***.139.192.0/19 to any

-j
--
English - Who needs that? I'm never going to England! --The Simpsons
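The same block expressed through a table, with the CIDR arithmetic written out so it can be checked rather than trusted, as an added example that is not part of this thread. The poster hid the first octet; 203 below is a placeholder, not the poster's network, and the interface name is assumed.

```pf
# Added example, not from the original posts.
#
# Why 203.139.192.0 .. 203.139.223.255 is exactly one /19:
#   third octet 192 = 1100 0000, 223 = 1101 1111
#   the top three bits of the octet are fixed (16 + 3 = 19 prefix bits),
#   the low 13 bits vary: 2^13 = 8192 addresses = 32 third-octet values * 256.
#   Netmask 255.255.224.0. A range that does not start on a multiple of the
#   block size would need several prefixes instead of one.
table <blocked> const { 203.139.192.0/19 }

ext_if = "fxp0"   # assumed interface name

# Silent drop; quick stops rule evaluation so nothing later can pass it.
block drop in quick on $ext_if inet from <blocked> to any
```

Sanity-check the prefix before loading it: `pfctl -t blocked -T test 203.139.200.1` should report the address as matched, while `pfctl -t blocked -T test 203.139.224.1` (one past the range) and `203.139.191.255` (one before it) should not. Because the table is declared `const`, a later `pfctl -t blocked -T add` is refused, which is the behaviour you want for a range that is meant to come from pf.conf only.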
Good HFSC explanation
Is there a clear HFSC explanation somewhere, with real simple examples? Preferably that apply directly to PF which uses three SC types, not two. I've found plenty of documents, but they're all high-level overview slideshows that are a bit hard to fathom. -- Bob
Re: altq fishiness
Jason Murray wrote:

> As I understand it the two child ssh queues should just use up all the bandwidth from the parent.

I couldn't get CBQ to use up all of the bandwidth. Even when only one queue had any traffic, the bandwidth was never getting saturated. Possibly (probably) it was something I was doing wrong. But I've changed to HFSC now, and my broadband line is saturated with traffic. So I'm happy.

I have to admit, though, that I couldn't find any simple explanation of HFSC with regard to PF, so I had to guess my way through setting it up.

--
Bob
Re: using altq for rate limiting on certain ports across multiple
darren david wrote:

> My /guess/ is that i need 2 queues - one on $EXT_IF inbound and one on $PRIV_IF outbound. Or perhaps i simply need to be tagging packets? $PRIV_NET is NATed, as one might expect.

You seem to be confused, as I was, about the possibilities of the queue mechanism.

You cannot queue packets coming into your firewall / shaper. Once they have arrived, it is too late to ask them not to arrive. No doubt your ISP is using queuing of some sort, but you have no influence over that. So, first of all, you need to realise that you can only queue stuff *leaving the firewall*.

Secondly, now you know this, you need to realise that you needn't consider queues that affect both interfaces. It's not possible to have a queue that affects an internal and external interface (because you cannot queue packets entering the firewall), so you don't need to worry about trying to accomplish this.

If what you are hoping to do is limit the download bandwidth of a machine on $PRIV_NET, for instance $dev_box, you just limit the rate that $dev_box can draw packets out of the firewall. Which requires only a queue that affects $PRIV_IF, because (sing along now) you cannot affect the rate at which packets are received from your ISP.

If you want to limit the upload rate of $dev_box, then you want a queue that acts on $EXT_IF. Because NAT is working on $EXT_IF, you will not be able to check the local address of packets on $EXT_IF, so if you need to limit the upload rate of a specific private address, tag those packets using a rule that acts on the internal interface. Tags in PF remain the whole time the packet is in the firewall, and are not transmitted outside of the firewall.

Because of what is described above, it is probably not possible to precisely limit the download rate of the firewall machine (when downloading CVSup data, for instance). It might be possible to reduce the downstream bandwidth the firewall uses by limiting its upstream bandwidth (which is tricky because a packet can only be tagged once), but unless your firewall is likely to be downloading a lot, it's probably unnecessary to do so.

Hopefully I haven't confused you worse than before. I've just finished (well, tinkering continues) configuring my PF firewall, so for the moment I'm full of wisdom that will quickly fall out of my spongy brain.

--
Bob
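The two-queue layout Bob describes, as an added example that is not part of his post: download is shaped where packets leave towards the LAN ($PRIV_IF), upload where they leave towards the ISP ($EXT_IF), and a tag set on the inside interface carries the host's identity across NAT. Interface names, addresses and bandwidths are assumptions, as is the `set state-policy if-bound` line: it is there so that the `pass out on $EXT_IF` rule is actually evaluated for the host's packets instead of their matching the floating state created on $PRIV_IF, which would leave them in $EXT_IF's default queue.

```pf
# Added example, not from the original posts. Assumed macros:
EXT_IF   = "fxp0"
PRIV_IF  = "fxp1"
PRIV_NET = "10.0.1.0/24"
dev_box  = "10.0.1.50"

# States bound to the interface they were created on, so each interface's
# pass rule runs and assigns its own queue (assumption, see lead-in).
set state-policy if-bound

# Download side: the only place pf can slow $dev_box's downloads is the
# queue its packets leave through on the way into the LAN.
altq on $PRIV_IF cbq bandwidth 100Mb queue { lan_std, dev_down }
 queue lan_std  bandwidth 90% cbq(default borrow)
 queue dev_down bandwidth 256Kb          # no borrow: hard ceiling

# Upload side: packets leaving towards the ISP, after NAT has rewritten
# the source address, so the private address can no longer be matched here.
altq on $EXT_IF cbq bandwidth 1Mb queue { wan_std, dev_up }
 queue wan_std bandwidth 75% cbq(default borrow)
 queue dev_up  bandwidth 64Kb

nat on $EXT_IF from $PRIV_NET to any -> ($EXT_IF)

# Inside interface: still sees 10.0.1.50, so tag here. The state created by
# this rule also carries dev_down, which is applied to the replies leaving
# $PRIV_IF towards the box.
pass in on $PRIV_IF from $dev_box to any tag DEV_BOX keep state queue dev_down
pass in on $PRIV_IF from $PRIV_NET to any keep state

# Outside interface: match on the tag, not the (now translated) address.
pass out on $EXT_IF tagged DEV_BOX keep state queue dev_up
pass out on $EXT_IF from ($EXT_IF) to any keep state
```

`pfctl -vvsq` shows per-queue packet and byte counters; a download by $dev_box should grow dev_down on $PRIV_IF while its uploads grow dev_up on $EXT_IF, and traffic from any other LAN host should stay in the two default queues. If dev_up never moves, the usual cause is the outbound rule not being reached, which is what the state-policy line guards against.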
Re: Good HFSC explanation
On Fri, Feb 11, 2005 at 15:39 +, Bob wrote:

> Is there a clear HFSC explanation somewhere, with real simple examples? Preferably that apply directly to PF which uses three SC types, not two. I've found plenty of documents, but they're all high-level overview slideshows that are a bit hard to fathom.
>
> --
> Bob

Search the archives of this list for the ``Specific HFSC questions'' thread. Jared did a lot of work, thanks.
Re: Good HFSC explanation
On Fri, Feb 11, 2005 at 03:39:17PM +, Bob wrote:

> Is there a clear HFSC explanation somewhere, with real simple examples? Preferably that apply directly to PF which uses three SC types, not two. I've found plenty of documents, but they're all high-level overview slideshows that are a bit hard to fathom.

I myself am still learning about HFSC, and experimenting; however, if you search the pf list archives for 'jared hfsc', you can see a lot of posts by me or in re: to me about HFSC. Of note:

http://marc.theaimsgroup.com/?l=openbsd-pf&m=105691519510241&w=2
http://marc.theaimsgroup.com/?l=openbsd-pf&m=107936788832658&w=2
http://marc.theaimsgroup.com/?l=openbsd-pf&m=110488079304643&w=2

jared
--
[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]
Re: altq fishiness
On Thu, Feb 10, 2005 at 07:59:31PM +, Bob wrote:

> I couldn't get CBQ to use up all of the bandwidth. Even when only one queue had any traffic, the bandwidth was never getting saturated.
> ...
> Possibly (probably) it was something I was doing wrong. But I've changed to HFSC now, and my broadband line is saturated with traffic. So I'm happy.

Remove 'red' and see if it saturates the bandwidth of the queue. RED is something I liked the sound of, but stopped using because I think I didn't understand fully its implications on a bandwidth queue. AFAICT, if RED is on a cbq (/hfsc?) queue which is designed as a bandwidth partition, the bandwidth consumed by the queue will never reach the cap, but will be reduced with some calculus asymptote lines or something as it approaches it. Could be way wrong too; I'm going on my interpretation of the effect it had on queues as I watched/tested them.

> I have to admit, though, that I couldn't find any simple explanation of HFSC with regard to PF, so I had to guess my way through setting it up.

HFSC has a very steep learning curve, but I believe that is partially its nature. For me it seems it demands you get your head around it, rather than trying to be a bit easier to understand and missing a bit of the picture. The crossbow site is excellent for this, but seems to take several reads through to sink in fully.

jared
--
[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]
Re: Borrow not working
Alexandre Ilha wrote:

> Hello, everybody.
>
> We've been trying to get borrow to work for us, but despite our reading every reasonable piece of documentation, messages in this list and several web pages trying to find a solution, it's still not working. We also tried to use the same PF configuration on BSD 3.3 and 3.6, with no success.

I couldn't get the CBQ scheduler (I'm in FreeBSD 5.3, which I believe uses the same underlying code as OpenBSD, ALTQ) to share out bandwidth reliably. It wouldn't use all the bandwidth available, even if there was only one queue in use.

I switched to the HFSC scheduler, and I'm very happy with it. I haven't been able to find any decent documentation for it with specific regard to PF, but I read enough theoretical overview documents to have a bit of a clue.

Seems a shame not to have a good document for PF and HFSC, though.

--
Bob
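For the "Borrow not working" setup above and for Bob's suggestion (here and in the "Good HFSC explanation" thread) to move to HFSC, an added example that is not part of either post: the same 1 Mbit shared by two hosts with a 256 Kbps floor each, written as an HFSC hierarchy using pf's three service curves. The interface, addresses and figures are the ones from Alexandre's pf.conf; the curve values are my reading of what that post asks for, and pf.conf(5) of your release is the authority on the syntax.

```pf
# Added example, not from the original posts. Same macro as the post:
lan_if = fxp0

altq on $lan_if bandwidth 10Mb hfsc queue { std_down, ext_down }

 # Default queue for everything else leaving the LAN interface.
 queue std_down bandwidth 1024Kb hfsc(default)

 # The 1 Mbit the two hosts share. upperlimit caps the pair as a whole;
 # there is no "borrow" keyword in HFSC, spare parent bandwidth is
 # handed out to children by their linkshare curves automatically.
 queue ext_down bandwidth 1024Kb hfsc(upperlimit 1024Kb) { lan_down_1, lan_down_2 }

  # realtime   = guaranteed floor, served before any linkshare traffic
  # linkshare  = how the parent's spare bandwidth is split when both are
  #              busy (512:512, i.e. evenly)
  # upperlimit = how far one host may go when the other is idle; set to
  #              the parent's size so a single download can take all of it
  queue lan_down_1 bandwidth 512Kb \
      hfsc(realtime 256Kb linkshare 512Kb upperlimit 1024Kb)
  queue lan_down_2 bandwidth 512Kb \
      hfsc(realtime 256Kb linkshare 512Kb upperlimit 1024Kb)

# Queue assignment is unchanged from the CBQ version: the state created
# on the way in carries the queue, and the replies leaving $lan_if towards
# the host are what actually get shaped.
pass in on $lan_if proto tcp from 10.0.5.100 to any \
    flags S/SA modulate state queue lan_down_1
pass in on $lan_if proto tcp from 10.0.5.101 to any \
    flags S/SA modulate state queue lan_down_2
```

With only host 1 downloading, `pfctl -vvsq` should show lan_down_1 climbing towards 1024Kb rather than stopping at 512Kb; start a download on host 2 and the linkshare curves pull them towards 512Kb each, with neither ever dropping below its 256Kb realtime floor. Keep the sum of the realtime curves well under the parent, since realtime is served ahead of everything else and too much of it starves the default queue.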
A PF lecture/tutorial - work in progress
Hi,

I've completed an English version of my PF lecture manuscript (with slight updates), originally written for a 1 1/2-2 hour session at BLUG. The material is available in various formats.

English:
http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf (full manuscript, pdf)
http://www.bgnett.no/~peter/pf/en/ (full manuscript, html)
http://www.bgnett.no/~peter/pf/en/foils/ (foils, html)

Norwegian:
http://www.bgnett.no/~peter/pf/no/pf-brannmur.pdf (full manuscript, pdf)
http://www.bgnett.no/~peter/pf/no/ (full manuscript, html)
http://www.bgnett.no/~peter/pf/no/foils/ (foils, html)

At this point I'm not confident it's publishing quality, but I'd love to hear comments of any kind.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers
The Usenet Bard, Twice-forwarded tales
Re: Can't even do an ls on an FTP server located on the WAN
On Tue, Feb 15, 2005 at 07:58:05PM +0100, Nicolas wrote:

> > Post your pf.conf.
>
> Unfortunately, the floppy disk is broken on my bastion. Since the pf.conf is around 15 KB, I'll avoid typing it... ;-)

Can you ftp/scp it off and just post it on the www somewhere? That sometimes seems to fly for things very large.

> Feb 15 19:57:10.770100 rule 0/0(match): block in on ep0: 213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win 5840 <mss 1420,sackOK,timestamp[|tcp]> (DF)
> Feb 15 19:57:13.768532 rule 0/0(match): block in on ep0: 213.246.62.4.36105 > 192.168.14.26.113: S 3830247271:3830247271(0) win 5840 <mss 1420,sackOK,timestamp[|tcp]> (DF)

That looks like they're pulling an ident lookup on you.

$ grep 113 /etc/services
auth            113/tcp    authentication tap ident

Don't know offhand if that's where it is dying; given the timestamps, I don't think so, as they pull an ident on you upon the initial connection, not upon your LIST.

> Here's what appears on the screen, also:
>
> Feb 15 19:58:36 bastion ftp-proxy[28303]: connect() failed (No route to host)

So if ftp-proxy can talk to 213.246.62.4:21 from 192.168.11.26...

> Here's what's written in /var/log/daemon:
>
> Feb 15 19:57:10 bastion ftp-proxy[28303]: accepted connection from 192.168.11.26:34681 to 213.246.62.4:21
> Feb 15 19:58:36 bastion ftp-proxy[28303] connect() failed (No route to host)

I'm wondering why it is trying to make a connection out on a different socket pair? I'm thinking that however pf is set up, it is probably allowing out the first connection from ftp-proxy; that it is failing on that second part makes me wonder about what connection really was blocked; it would have to be an outgoing one from ftp-proxy to somewhere. If it was incoming and was blocked, ftp-proxy wouldn't know. Try to see if there's something in /var/log/pflog you skipped?

> Here's the line for ftp-proxy in /etc/inetd.conf:
>
> 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy frp-proxy -n -D 3

For active mode connections, you would need to allow in pf, say, 'from tcp remote ftp IP port 20 to $intIf:network user proxy', but that rule is only for active connections; it doesn't matter for passive.

> However, here's the rule I added for the FTP:
>
> pass in quick on $name_itf_ext inet proto tcp from port 20 to ($name_itf_ext) user proxy flags S/SA keep state

OK, that's that.. Are you blocking everything by default on bastion, not just inbound? Is there a chance that the connection from ftp-proxy back to your LAN was blocked?

jared
--
[ openbsd 3.6 GENERIC ( jan 13 ) // i386 ]
Re: Can't even do an ls on an FTP server located on the WAN
One more piece of information: when doing a netstat | more, I see this line:

tcp 0 0 192.168.14.26.62843 heb62004.ikoula..ftp CLOSE_WAIT

I killed ftp-proxy and restarted inetd, but I still get the same problem.

Could my problem come from the fact that my network is like this:

[FTP CLIENT]--[DEBIAN]--[OBSD BASTION]-WAN[FTP SERVER]

The Debian machine does FTP masquerading, but I don't see anything abnormal on that machine.

The error message on the bastion, in /var/log/daemon, is:

ftp-proxy[18326]: connect() failed (No route to host)

What host is that? From the bastion, there's no problem at all with routes to the Debian machine or the FTP server...

Please, do you have any solution?

Thank you.

Nicolas.
--
--- OxStOnE -- O - Z750 Linux --- ._ /\_ --- Powered -- (x) (x)
Re: Can't even do an ls on an FTP server located on the WAN
On Tue, Feb 15, 2005 at 06:50:51PM -0700, jared r r spiegel wrote:

> ...
> > However, here's the rule I added for the FTP:
> >
> > pass in quick on $name_itf_ext inet proto tcp from port 20 to ($name_itf_ext) user proxy flags S/SA keep state
>
> OK, that's that.. Are you blocking everything by default on bastion, not just inbound? Is there a chance that the connection from ftp-proxy back to your LAN was blocked?

Jared,

You're right, everything is blocked by default on the bastion, not just inbound but also outbound!

What ports, hosts and direction should I allow, in your opinion?

I now hope we're approaching a solution! Your help is greatly appreciated!

Nicolas, Paris.
--
--- OxStOnE -- O - Z750 Linux --- ._ /\_ --- Powered -- (x) (x)
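The rules the inetd-driven ftp-proxy of OpenBSD 3.5/3.6 needs on a bastion that blocks both directions by default, as an added example that is not part of this thread and not the OpenBSD project's own configuration. The symptom in the thread fits a blocked outbound packet: on OpenBSD, when pf drops a packet a local process is sending, ip_output reports EHOSTUNREACH to that socket, which the proxy logs as "connect() failed (No route to host)"; the passive data connection the proxy opens after the client's PASV is exactly such a packet. Interface names and the LAN prefix below are assumptions (the prefix is chosen to cover both the 192.168.11.x client and the 192.168.14.x hop seen in the logs); the inetd line is the poster's own.

```pf
# Added example, not from the original posts. Assumed macros:
ext_if  = "ep0"
int_if  = "ep1"
lan_net = "192.168.0.0/16"   # assumed: covers 192.168.11.26 (client) and 192.168.14.26

nat on $ext_if inet from $lan_net to any -> ($ext_if)

# 1. Control channel: LAN connections to port 21 are redirected to the
#    proxy listening on 127.0.0.1:8021 (the inetd line in the thread).
#    The "pass" modifier also passes the redirected packet; on a release
#    whose pf.conf(5) lacks it, add "pass in on $int_if ... to 127.0.0.1
#    port 8021" instead.
rdr pass on $int_if inet proto tcp from $lan_net to any port 21 \
    -> 127.0.0.1 port 8021

pass quick on lo0 all          # the redirected connection arrives on lo0

block log all                  # default deny in both directions, as on the bastion

# 2. Connections the proxy itself opens towards the Internet: the control
#    connection to the server's port 21, and in passive mode the data
#    connection to whatever port the server named in its 227 reply. This is
#    the rule whose absence produces "No route to host" in the proxy log.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    user proxy flags S/SA keep state

# 3. Active mode: the server's data connection comes from port 20 to the
#    proxy (this is the rule already in the poster's ruleset).
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
    user proxy flags S/SA keep state

# 4. Data channel towards the LAN: in passive mode the client connects to
#    the proxy's listener on the inside address; in active mode the proxy
#    connects back to the client. Allow both on the inside interface.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) \
    user proxy flags S/SA keep state
pass out on $int_if inet proto tcp from ($int_if) to $lan_net \
    user proxy flags S/SA keep state
```

The `user proxy` qualifier is what keeps rule 2 from being a general "pass out anything" hole: it matches only sockets owned by the proxy user that ftp-proxy switches to after accepting a connection. To confirm the diagnosis before changing anything, run `tcpdump -n -e -ttt -i pflog0` while the client issues LIST; a `block out on ep0` line for a packet from the bastion's external address to the server's passive port, logged at the moment the proxy reports connect() failing, is the missing outbound rule.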